If you are reluctant towards disabling the ports you may choose to putting all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Then monitor that DHCP server for any leases and track down where people are randomly plugging in. Setup a captive portal on that VLAN explaining why they aren't able to browse the internet.

WPA can interface with 802.1X or RADIUS authentication servers to provide a more secure method of controlling access to the WLAN. Where WEP, or WPA in PSK mode, allows virtually anonymous access to anyone who has the correct key or password, 802.1X or RADIUS authentication requires users to have valid username and password credentials or a valid certificate to log into the wireless network.